Comment 0 for bug 1556330

Matthew Hall (mhall-9) wrote :

The following bug from upstream libcurl should be fixed in Ubuntu Stable and Ubuntu LTS trains:

https://sourceforge.net/p/curl/bugs/1371/

The bug fix consists of one missing break statement at the end of a case in a switch statement.

I personally patched the bug using source code release curl_7.35.0-1ubuntu2.6.dsc, used in Ubuntu 14.04 LTS, and verified it does indeed fix the bug and all of the package's tests still pass afterwards.

Impact: The bug makes it impossible to use PKCS#12 secure storage of client certificates and private keys with any affected Ubuntu releases. The fix is one line fixing a broken switch statement and was already tested against Ubuntu 14.04 LTS with a rebuilt curl package.

Testing: The bug can be reproduced using the following libcurl parameters (even via CLI, pycurl, etc.).

CURLOPT_SSLCERTTYPE = "P12"
CURLOPT_SSLCERT = path to PKCS#12
CURLOPT_SSLKEY = path to PKCS#12
CURLOPT_SSLKEYPASSWD = key for PKCS#12 if needed

Basically, just use a PKCS#12 format client certificate and private key against some certificate-protected web server.

Regression Potential: If it could possibly break anything, which is extraordinarily unlikely, it would break one of the three client certificate formats (most likely PKCS#12, but also PEM or DER). Note that 1 of the 3 formats is already broken due to the bug. Client certificates of all three types could be checked to prevent this.
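Added illustration, not libcurl's code and not from this bug thread: a constructed model of the fault class described in the comment, a cert-type switch whose P12 case lacks its break, placed beside the one-line fix. The loader names and the assumption that the P12 case falls into the default case are mine.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model only: a switch over the client-certificate type where
 * one case lacks its break. Not libcurl's code; the case layout and
 * loader names are assumptions for illustration. */
enum cert_format { FMT_UNKNOWN = 0, FMT_PEM, FMT_DER, FMT_P12 };

static enum cert_format parse_type(const char *type)
{
    if (strcmp(type, "PEM") == 0) return FMT_PEM;
    if (strcmp(type, "DER") == 0) return FMT_DER;
    if (strcmp(type, "P12") == 0) return FMT_P12;
    return FMT_UNKNOWN;
}

/* Buggy dispatcher: FMT_P12 has no break, so the PKCS#12 loader choice is
 * overwritten by the default case. Returns the loader that would run. */
static const char *select_loader_buggy(const char *type)
{
    const char *loader;
    switch (parse_type(type)) {
    case FMT_PEM: loader = "load_pem";    break;
    case FMT_DER: loader = "load_der";    break;
    case FMT_P12: loader = "load_pkcs12";        /* no break: falls through */
    default:      loader = "unsupported"; break;
    }
    return loader;
}

/* Fixed dispatcher: identical apart from the single added break. */
static const char *select_loader_fixed(const char *type)
{
    const char *loader;
    switch (parse_type(type)) {
    case FMT_PEM: loader = "load_pem";    break;
    case FMT_DER: loader = "load_der";    break;
    case FMT_P12: loader = "load_pkcs12"; break;  /* the one-line fix */
    default:      loader = "unsupported"; break;
    }
    return loader;
}
int main(void)
{
    const char *types[] = { "PEM", "DER", "P12" };
    for (int i = 0; i < 3; i++)
        printf("%s: buggy=%s fixed=%s\n", types[i],
               select_loader_buggy(types[i]), select_loader_fixed(types[i]));
    return 0;
}
```

Running it shows PEM and DER unaffected while "P12" is reported as unsupported by the buggy dispatcher, which matches the symptom described above.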